Anomaly Detection focus area
The Anomaly Detection focus area of the IAM laboratory contains a number of projects or activities related to detection of anomalies, such as faults, wear, misconfiguration, fraud, intrusions, and adverse activities.
In many monitoring and surveillance contexts it is important to sieve through large amounts of data to detect the few items that "break the pattern", i.e. behave differently from the rest. During the last few years the industrial interest in such methods has exploded: it seems everyone has their electronic haystacks in which they need to find the needles.
The IAM laboratory at SICS has been involved in anomaly detection projects since 2000. We have acquired substantial experience in the area, and developed efficient methods for anomaly detection based on Bayesian statistics. The algorithms can search through data from various processes and domains, and find components that behave in an unusual way, or that change their behaviour over time. Below are some examples of successful anomaly detection activities:
Anomaly detection for train maintenance
We have previously developed and evaluated anomaly detection for Regina trains, manufactured by Bombardier Transportation. During operation of the trains, a large number of event notifications are produced. Some signal serious events that require immediate attention, whereas others are mere warnings or harmless notifications. The algorithms can for instance detect changes in the frequency of seemingly harmless events, which may be early indications of more serious problems. Bombardier Transportation decided to use this method in production, and during 2008 the algorithms were integrated in Bombardier Transportation's Edgar platform.
Anomaly detection in mobile phone networks
During 2007-2008 we further developed the same algorithms, within the framework of CNS, for a different task: alarm filtering in telecom networks. This time the focus was on TeliaSonera's mobile phone network, and the event notifications were generated by the mobile stations throughout Sweden. The method scans through the large number of events and quickly detects mobile stations whose event profiles differ from the others, which indicates that they need service. It also detects correlations and clusters of events, making it possible to aggregate alarms originating from the same problem.
Anomaly detection for maritime domain awareness
During the fall of 2008 we performed a pre-study for MSB (Myndigheten för Samhällsskydd och Beredskap) on how to use anomaly detection for surveillance of ships to detect illegal or dangerous activities. This may lead to a larger cooperation project with partners from Sweden and the USA.
